Thank you, Mr. Chair.
Continuing from the Canadian Civil Liberties Association's submission on Bill C-26—which, just to remind colleagues, is referred to in clause 124—we are deciding whether or not we believe that there should be a coordinating amendment with Bill C-26 in Bill C-33.
I am building the case for why I have concerns with that, and I'll just continue reading. Perhaps I'll go back just to make sure that information wasn't missed. It says:
Further, personal data can be anonymized or de-identified, but de-identified information requires additional protections. Anonymization involves permanently deleting identifying data, while de-identification involves stripping away and separating different bits of identifying information from one another or protecting identifying information through encryption or key (but not permanently deleting it). Anonymizing data is irreversible, while de-identified data can be re-identified. De-identified data requires greater protection than anonymized data, so Bill C-26 should ensure de-identified information is explicitly acknowledged as confidential.
As it stands, Bill C-26's proposed amendments to the Telecommunications Act do not designate personal and de-identified information as confidential under section 15.5(1). Nor for that matter does the Critical Cyber Systems Protection Act (CCPSA), which under section 6(1) does not flag personal or de-identified information as confidential. In order to protect this information, both Acts contained within C-26 need adjustment to better align with our privacy rights, freedoms, and democratic values.
“Handling Personal Information” is a new section.
Bill C-26 gives the Minister overbroad powers for handling personal information. Telecommunication companies, and companies likely to be designated under the CCSPA, collect, process, and store vast amounts of personal data and metadata, including call logs, messages, financial data, and location data. But as worded, Bill C-26 allows the Minister to share this type of personal information with anyone they designate...or who is prescribed by regulations.... It is one thing for government to ask designated operators for information about themselves and how they are complying with orders, but there needs to be a significantly higher standard when ordering companies to hand over information about their customers. This is especially important for telecommunication companies, given the high volume of personal information they hold about the public, and how telecommunications data can be used to identify individuals, track their movements, and monitor their communications. Bill C-26 should better protect the privacy of personal information and communications by creating a more effective stopgap between this information and the Minister’s ability to disclose it. The legislation should be amended so that the government must first obtain a relevant judicial order from the federal court before it can compel a telecommunications provider to disclose personal or de-identified information.
Further, Parliament should strengthen the Bill’s privacy protections when it comes to telecommunication providers and designated operators sharing information with foreign parties. In the proposed new section 15.7(1) of the Telecommunications Act:
“Any information collected or obtained under this Act, other than information designated as confidential under subsection 15.5(1), may be disclosed by the Minister under an agreement, a memorandum of understanding or an arrangement in writing between the Government of Canada and the government of a province or of a foreign state, an international organization of states or an international organization established by the governments of states, or any institution of any such government or organization, if the Minister believes that the information may be relevant to securing the Canadian telecommunications system or the telecommunications system of a foreign state, including against the threat of interference, manipulation or disruption.”
The provision's breadth and vagueness would allow not only for tremendous ministerial overreach, but it could also lead to privacy risks that cross provincial and national borders, resulting as well in potential risks to life and security for affected individuals and groups. CCLA strongly urges the amendment of the Bill to preclude the Minister from sharing personal or de-identified personal information to foreign governments or organizations, and that the Minister should inform telecommunications providers and designated operators when—and to whom—information may be disclosed when the receiving party is a foreign state, agency, organization, or party.
Finally, Bill C-26 lacks strong provisions around data retention periods. Data should only ever be kept for as long as they are useful, and storing data indefinitely can increase the risks and harms of potential data breaches. Data retention periods are crucial for ensuring that any information obtained under either the Telecommunications Act or the CCSPA would be held only for so long as is necessary to make a legislative order, or to confirm compliance with such an order. CCLA recommends that the legislation be amended to make this data retention period as limited in duration as possible, and that the legislation include—to the extent that the legislation permits any data sharing—a requirement to attach data retention and deletion clauses in agreements or memoranda of understanding that are entered into with foreign governments or agencies.
The next section is “Ensuring Accountability for Mishandled Information”:
Bill C-26 lacks key accountability measures for privacy issues. Accountability is a core principle of effective government and should similarly be a core principle of Bill C-26.
A key accountability concern pertaining to privacy is that Bill C-26 does not allow individuals to seek relief if the government mishandles personal or de-identified information. Allowing for this recourse is an important step toward accountability for privacy violations. CCLA recommends that Bill C-26 be amended to enable individuals to seek relief if the government or a party to whom the government has disclosed their personal or de-identified information negligently loses control of that information and where that loss of control impacts the individual.
Their conclusion states:
In its current form, Bill C-26 undermines personal privacy and violates due process. Privacy and due process are not only essential to cybersecurity and the protection of our critical infrastructure but are also part of the very fabric of our democracy. The Bill gives government the power to collect broad categories of information about people, without adequate protections for information that should be deemed confidential. The Bill also threatens personal privacy and creates other serious risks and dangers to people by allowing government to distribute this sensitive information to domestic and foreign organizations without proper checks and balances. And the Bill contains inadequate mechanisms for people to seek appropriate redress in cases where their private information has been mishandled and abused.
In this submission, CCLA has recommended remedies to address these concerns while still enabling the legislation to fulfill its stated goals: bolstering cybersecurity across the financial, telecommunications, energy, and transportation sectors, and helping organizations better prepare, prevent, and respond to cyber incidents. We urge the Committee Members to adopt these proposals for strengthening Bill C-26.
The Canadian Civil Liberties Association has very grave concerns and has proposed some significant changes to Bill C-26.
Once again, for the purposes of clause 124, the first words are that if Bill C-26 receives royal assent, then on that day.... We go into whether or not there should be changes to Bill C-33. I think it's very important that we discuss whether or not we believe this clause should be passed, given the incredible concerns there are with Bill C-26.
IT World Canada is another one. If Mr. Iacono wants to go to that website, it's itworldcanada.com. I'll be reading a bit from that.
They have an article here, under their Industry Voices section, entitled “The Bill-C-26 Regulation and Its Implications for The Critical Infrastructures’ Cybersecurity in Canada”. It's by Frank Lawrence and Eric Jensen of Fortinet.
The article states:
As the last G7 nation and one of the few G20 nations without a firm regulatory framework around cybersecurity, Canada must act to protect the Nation’s critical infrastructure assets.
In 2016 member states of the European Commission (EU) passed what was called the most comprehensive cybersecurity bill in the history of the EU; the bill was called the NIS Directive. The EU cybersecurity rules introduced in 2016 were updated by the NIS2 Directive, ratified in 2023. NIS2 continues modernizing the legal framework to keep up with increased digitization and an evolving cybersecurity threat landscape. Expanding the scope of the cybersecurity rules to new sectors and entities further improves the resilience and incident response capacities of public and private entities, competent authorities, and the EU as a whole. Most G7 member states are under the umbrella of the EU; the US, UK, and Japan have separately implemented cybersecurity regulations to differing degrees.
Canadian businesses continue to be impacted by malicious cyber activity, ranging from cyberattacks to ransomware. Many attacks, including those on critical infrastructure that account for nearly half, go unreported. Concerningly, the Canadian Centre for Cyber Security (CCCS) has identified attacks against OT networks as “the most pressing [threat] to the physical safety of Canadians” in their biennially published National Cyber Threat Assessments.
In this context, the Ministry of Public Safety acted to introduce new legislation, Bill C-26 An Act Respecting Cybersecurity. Bill C-26 passed its first step in Parliament in November of 2022 and went through its second reading on March 27th, 2023. [The bill]...sits in committee and is believed to go into legislation and law in the calendar year of 2023.
I'd say the article was a little optimistic there.
The primary focus of Bill C-26 is to add teeth to the governance and compliance of cybersecurity, especially in the much-needed Operational Technology (OT) area where critical infrastructure lies. Although the Bill has not yet received royal assent...between the absence of similar legislation in Canada and the trend towards increased cybersecurity regulation amongst our international peers, Canadian businesses would be wise to prepare.
Canada has yet to pass laws that govern cybersecurity, let alone require reporting vulnerabilities and critical infrastructure breaches; Bill C-26 would empower the regulators to impose fines or issue summary convictions to ensure governance and compliance.
Bill C-26, in its current form, includes four critical infrastructure sectors—Telecommunications, Finance, Energy, and Transportation. The requirement for organizations in these sectors is threefold:
1. Implement, maintain, and report on a cybersecurity program to address risk across the organization, third-party services, and supply chains.
2. Report any cyber incidents involving critical systems to the appropriate regulator and the Canadian Center for Cyber Security.
3. Use, or discontinue any specified product, service, or supplier.
The intended outcome of these requirements is to improve the standard of cybersecurity amongst critical operators and deepen the level of visibility the federal government has into the security operations of these organizations. It is known today that certain companies that are considered high-risk and vital to national security would become the federal government's focus.
Following the process of the proposed legislation (Bill C-26) and its passing, Federal Government departments will communicate with the companies impacted in the focused sectors with details on how breaches are to be reported and the required timeline for reporting. Furthermore, the companies must “keep records of how they implement their cybersecurity program, every cyber incident they have to report, any step taken—